Question for source sink analysis

[nix7965]

Hi, I referred to https://github.com/unsw-corg/SVF/wiki/Write-a-source-sink-analyzer
In my case, I have two types of sources.

1. Typical source from some functions.
2. Some variables in "class". (=class variable )

My target program runs in a loop, and class variable will go out via sinks.
This class variable is computed with class variable, arithmetic operations and source (external source).

In this case, is there a way to designate "class variable" as sources?
From my observation, some node contains variable names. So, if I could get such node in some way, there may be some way to do. But I am not sure.

Note that class variable can be changed directly via arithmetic operations (e.g., classA.a = classA.a + 30)

[yuleisui]

Hi Kim,

SVF is built on top of LLVM compiler. It accepts LLVM IR as its inputs instead of source code.
You may wish to first understand the representation of LLVM IR (http://llvm.org/docs/LangRef.html) before selecting sources and sinks in a program.

For example, "var = var + 30" will be translated into a SSA form, in which "var" will be split into two different variables on the right/left hand sides of the assignment to represent unique definitions.

SVF models memory objects (including field objects of a class object, like "classA.a") at their allocations. You need to map an object to a SVFGNode, which either allocates or accesses the object, then you can perform a simple graph traversal on top SVFG to achieve your goal as described in https://github.com/unsw-corg/SVF/wiki/Write-a-source-sink-analyzer.

Thanks.

[nix7965]

Hi, I have additional question for source and sink analysis.
As I mentioned, I want to designate source as a subobject in class.

In this image, Node 23 has multiple objects. I think each subobject has own id. So, in this case, are 10, 13, 16, 17, 22 and 26 actual ID? If so, sometimes their values are overlapped, which is strange.
If it is not true, then, how to refer to subobject?

[yuleisui]

Please refer to SVFG.cpp from lines 907-1197. This is the best way to figure out nodes, edges and their colors and ids on a SVFG.

For example,
NodeID 23:
101<-102
10 13 16 17 22 26

23 is the id of the SVFGNode. 101<-102 in the green box denotes the address constraint (e.g., p=&q), where 101 and 102 are ids for the two variables. Finally "10 13 16 17 22 26" are five callsite ids corresponding to the five call edges highlighted in red.

Note that "ander_svfg.dot" is an optimized version of SVFG (https://github.com/unsw-corg/SVF/wiki/Technical-documentation#323-svfg-optimization), you can also refer to "SVFG_before_opt.dot" for an original version of SVFG (http://www.cse.unsw.edu.au/~ysui/papers/cc16.pdf).

The aim of using dot graph for us is to debug analysis built on SVFG. You can also dump SVFG into any format suitable for your purpose if you think you can draw a better one.

[nix7965]

Thank you. I solved this problem. So, I closed it.